Log4j, a Java-based logging library, has raised security risks for cybersecurity teams all over the world. Here’s what we know so far about the newfound security risk…
In the world of cybersecurity, a new security risk has made a stir. Log4j, a Java-based logging library, has raised several security concerns for cybersecurity teams all over the world. Attackers are actively exploiting the flaws, and these malicious activities are only expected to increase in the coming days.
The Vulnerability
The source of the security risk is from a vulnerability in Log4j, a widely used Java-based logging library developed by the Apache Software Foundation.
Since Log4j is used by several services, like Apple iCloud, popular gaming service Steam and online game Minecraft, the security vulnerability is considered one of the most dangerous one discovered in recent years.
The security risk is even more alarming because it has been discovered to be actively exploited in the wild, therefore the zero-day status. A zero-day exploit indicates that hackers are actively targeting the flaw, and that a fix has not yet reached all of the vulnerable systems.
A proof-of-concept exploit that has been released online since the vulnerability was made public has added to these fears. The concept implies that everyone using Log4j could be a potential target for attacks that could trigger Remote Code Execution (RCE). Hence, in order to be stay protected from such through the vulnerability, it’s crucial to learn more about the newfound security risk. Here’s everything we know thus far about it.
Technicalities
CVE-2021-44228, also known as Log4Shell or LogJam, is a security risk associated with Log4j. As it affects all versions of Log4j, it has been regarded as one of the most severe security risks currently on the internet. Versions 2.0-beta-9 to 2.14.1 of Log4j are included. Since Log4j is used by so many systems, this simply exposes a large number of services to the vulnerability.
As mentioned by Sean Gallagher, Senior Threat Researcher at Sophos, “Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example, any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security.”
The vulnerability was identified by Chen Zhaojun of the Alibaba Cloud Security Team, according to a blog post on Apache Logging Services. The vulnerability was rated a ten by the Apache team as per the Common Vulnerability Scoring System (CVSS). This indicates that the Log4Shell has been classified as “Critical” vulnerability.
The blog states that such security risks “could potentially be exploited by a remote attacker.” Log4j can be used to run arbitrary code on a system by an attacker. Worms can even take advantage of such flaws automatically.
The security team at Sophos showed how easily the security flaw in Log4j can be exploited for remote code execution in a demonstration on a local computer. An attacker who understands the right data format can use the Log4j vulnerability to send a Java program to your server that infects it with the malware.
According to the report by Sophos, this is described as a “uncomplicated, reliable, by-design remote code execution (RCE),” that is triggered by nothing other than user-supplied data. Surprisingly, this data may be logged for auditing or security purposes.
LDAP, or Lightweight Directory Access Protocol, is exploited by Log4Shell. This is a software protocol that allows anyone within a network to locate data about resources such as files and devices. This network could be on the Internet or within a corporate Intranet.
In this case, the Network Device Interface (NDI) features used in “configuration, log messages, and parameters” do not defend against attackers. It is said that “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers,” This is possible when message lookup substitution is enabled.
Concluding Words
The issue has been fixed in Log4j 2.15.0, the most recent version of the Log4j library, as message lookup substitution is disabled by default in Log4j 2.15.0. Hence, it is recommended that all IT teams should find all codes in their networks for that is coded in Java and check whether it uses the Log4j library. Log4j versions that are out of date should be upgraded as soon as possible.
Sophos has seen large scale attempts trying to exploit the Log4j flaw. So far, “hundreds of thousands” of such attempts have been discovered, according to the Sophos.
The attackers appear to be carrying out these attacks for a variety of malicious reasons. Some of the attackers try to infect systems with Cryptomining botnets, while others try to extract information from services like Amazon Web Services. According to Sophos, these attacks are only going to get worse in the following days and weeks.